AppArmor policy update for os-brick and iSCSI

In iSCSI use cases including cinder-lvm, os-brick requires lock files
such as:
  - /run/lock/nova/os-brick-connect_volume
  - /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1

and lsscsi requires the following access to compose a rescan command such as
"/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
  - /dev/
  - /sys/bus/scsi/devices/

Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
(cherry picked from commit cf0f464391)
Nobuto Murata
2022-06-24 23:22:54 +09:00
parent 28f0b70bce
commit b5e658d045


@@ -31,6 +31,7 @@
deny /* w,
/bin/* rix,
/dev/ r,
/dev/disk/** r,
/dev/disk/by-id/* r,
/dev/mapper/control wr,
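Review bot: the new `/dev/ r,` line (the single addition in this hunk, per the `-31,6 +31,7` header) carries no comment explaining why a directory listing of /dev is needed, and the profile otherwise only names specific /dev subtrees such as `/dev/disk/** r,`. The reason is only in the commit message (lsscsi enumerating devices to build a rescan path), so a future maintainer tightening this profile has no in-file hint. Suggest a one-line comment above it, e.g. `# lsscsi enumerates /dev when composing a rescan command (LP: #1979812)`. The trailing slash correctly limits this to the directory entry itself rather than the device nodes, which is the right minimal grant; the `deny /* w,` rule above still covers writes.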
@@ -72,7 +73,7 @@
/run/libvirt/libvirt-sock rw,
/run/lock/iscsi/ rw,
/run/lock/iscsi/** rwl,
/run/lock/nova/nova-iptables wk,
/run/lock/nova/* wk,
/run/lock/qemu-nbd-nbd* w,
/run/openvswitch/db.sock rw,
/{usr/,}sbin/blockdev rix,
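Review bot: replacing `/run/lock/nova/nova-iptables wk,` with `/run/lock/nova/* wk,` widens the grant from one named lock file to every file the confined process chooses to create or write directly under /run/lock/nova/. The commit message only needs the os-brick lock names (`os-brick-connect_volume` and `os-brick-connect_to_iscsi_portal-<address>`), whose only variable part is the portal address, so a narrower pattern would cover them without opening the whole directory, e.g. keep the existing line and add `/run/lock/nova/os-brick-* wk,`. If the wildcard is kept deliberately, note that AppArmor `*` does not cross `/`, so subdirectories are still excluded, and add a comment saying why the broad form was chosen.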
@@ -90,6 +91,7 @@
/{usr/,}sbin/e2label rix,
/{usr/,}sbin/tune2fs rix,
/sys/block/ r,
/sys/bus/scsi/devices/ r,
/sys/class/fc_host/{,**} r,
/sys/class/iscsi_host/ r,
/sys/class/iscsi_session/ r,
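Review bot: the added `/sys/bus/scsi/devices/ r,` only permits listing that directory, while the commit message gives the goal as composing and issuing a rescan through a path under /sys/bus/scsi/drivers/sd/<H:C:T:L>/rescan, which is a write target and is not covered anywhere in this hunk or the surrounding /sys rules shown (`/sys/block/ r,`, `/sys/class/fc_host/{,**} r,`, `/sys/class/iscsi_host/ r,`, `/sys/class/iscsi_session/ r,`). If that write is performed from inside this profile it will still be denied; please confirm from the audit log whether the rescan write happens in this confinement or in a separately confined helper, and either add the matching write rule or state in a comment that only the directory enumeration is needed here.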